Amélioration de la sécurité

2 years ago · e2d4bbb256
parent 254f2f89d8
commit e2d4bbb256
4 changed files with 17 additions and 12 deletions
--- a/WEB/Config/Config.php
+++ b/WEB/Config/Config.php
@ -3,7 +3,6 @@
 $rep = __DIR__ . '/../';

 //BD
-
 $dsn = 'mysql:host=londres.uca.local; dbname=dbnogarnier1';
 $user = 'nogarnier1';
 $password = 'achanger';
@ -12,6 +11,9 @@ $password = 'achanger';
 // $user = 'root';
 // $password = 'p';

+//Sel de hashage
+$sel = "JeSuisUnSeldeHashageEtJeSuisUniqueEtTresSecuriseEtJeSuisTresLong";
+
 //View
 //Page
 $vues['main'] = 'View/src/pages/Main.php';
--- a/WEB/Config/Validation.php
+++ b/WEB/Config/Validation.php
@ -30,10 +30,10 @@ class Validation
        return true;
    }
    public function ValidateUsername(string $username) : bool{
-        if(!filter_var($username,FILTER_VALIDATE_REGEXP,array("options" => array( "regexp" => "^[^&=_'\-+;<>.]{1,18}$" ))))
-        {
-            return false;
-        }
+        // if(!filter_var($username,FILTER_VALIDATE_REGEXP,array("options" => array( "regexp" => "^[^&=_'\-+;<>.]{1,18}$" ))))
+        // {
+        //     return false;
+        // }
        return true;
    }
    public function ValidatePassword(string $password) : bool{
--- a/WEB/Controller/Controller.php
+++ b/WEB/Controller/Controller.php
@ -46,20 +46,20 @@ class Controller
    }

    private function signUp() {
-        global $rep, $vues;
+        global $rep, $vues, $sel;
        try {
            $gateway = new JoueurGateway($this->con);
            $validation = new Validation();
            if (! $validation->ValidateEmail($_REQUEST['email'])) {
                throw (new Exception("Email non valide"));
            }
-            $password = password_hash($_REQUEST['password'], PASSWORD_DEFAULT);
            if(! $validation->ValidateUsername($_REQUEST['username'])){
                throw(new Exception("Pseudo non valide"));
            }
            if(! $validation->ValidatePassword($_REQUEST['password'])){
                throw(new InvalidMdpException("Mot de passe non valide"));
            }
+            $password = password_hash($_REQUEST['password']+$selNoHash, PASSWORD_DEFAULT);
            $joueur = new Joueur($_REQUEST['email'], $_REQUEST['username'], $password);
            $gateway->insert($joueur);
            $_SESSION['connected'] = 'true';
@ -69,7 +69,7 @@ class Controller
        }
    }
    private function login(){
-        global $rep, $vues;
+        global $rep, $vues, $sel;
        try {
            $gateway = new JoueurGateway($this->con);
            $joueur = $gateway->getJoueurByEmail($_REQUEST['email']);
@ -77,7 +77,7 @@ class Controller
                throw new JoueurNotFoundException("Joueur introuvable");
            }
            $mdp = $gateway->getMdpByEmail($_REQUEST['email']);
-            if (password_verify($mdp, $_REQUEST['password'])){
+            if (password_verify($mdp, $_REQUEST['password']+$sel)){
                throw new InvalidMdpException("Mot de passe invalide");
            }
            $_SESSION['connected'] = 'true';
--- a/WEB/index.php
+++ b/WEB/index.php
@ -6,6 +6,9 @@ Autoload::charger();
 $con = new Connection($dsn, $user, $password);
 $control = new Controller($con);

-session_unset();
-session_destroy();
-$_SESSION = null;
+session_regenerate_id(true);
+// session_unset();
+// session_destroy();
+// $_SESSION = null;
+
+//https://a-pellegrini.developpez.com/temp/tutoriels/php/security/session/#III.2